The UK Information Commissioner’s Office (ICO) has fined a medical contractor £200,000 for letting confidential conversations between patients and fertility doctors appear online.
The privacy regulator found that the medical contractor, HCA International Ltd, had not taken adequate steps to ensure that its data processing contractor, which is based in India, protected personal conversations between doctors and patients.
The regulator stated that HCA International had recorded conversations regarding fertility treatment between patients and doctors, and that these recordings were sent without encryption to the data processing contractor via email. The data processing contractor was responsible for transcribing the conversations.
The ICO said that the contractor used an unsecured server to store the conversations and transcriptions, and because access to the server was not restricted, anyone could access this data. As a result, the conversations appeared online.
The privacy watchdog went on to add that this situation could have been avoided had HCA International made an effort to check the methods that the data processing contractor used to ensure data security.
ICO Head of Enforcement Steve Eckersley stated that patients had discussed extremely private medical concerns with their fertility doctors, and they did not expect that this conversation would be available online for others to hear and read.
Eckersley added that it was the responsibility of the medical contractor and the private hospital to ensure that any patient-related data is maintained in a secure manner. When data is not encrypted, it means that anyone can gain access to it.
This fine by the ICO highlights the importance of keeping personal data secure. This is especially true for healthcare contractors who use third-party contractors for data processing. Medical contractors should make sure that any third-party data processor uses the right technology so that access to the personal data of patients is restricted.